EOSIO RAM Resource Exploit Patch

On December 11, 2018 Block.one was made aware of an EOSIO RAM resource exploit via the EOSIO Bug Bounty Program. Block.one rapidly created a patch and distributed it to representatives of various public blockchains based on EOSIO within 24 hours, along with a number of techniques which are intended to mitigate the exploit while they deploy the patch.

As far as we are aware, the exploit was limited to allowing an attacker to bill their database RAM usage and/or CPU usage to another account on the network. It is our understanding that it would not threaten the safety of tokens or other EOSIO digital assets, nor should it allow for modification of contracts or their state.

In the event that someone is successful in consuming another account’s RAM before a network is patched there, it should be a relatively simple solution to restore the RAM after the patch is applied.

The patch only needs to be applied to block producing nodes and prevents them from including transactions which exploit the vulnerability. We have discovered a handful of smart contracts that accidentally relied upon the vulnerability. These contracts will be effectively frozen until their authors can apply a fix.

Whilst we anticipate the patch will achieve its objective we, along with the various EOSIO-based blockchain communities, will continue to monitor any additional issues identified.